Analyser for Application Layer

pcapkit.foundation.analysis works as a header quarter to analyse and match application layer protocol. Then, call corresponding modules and functions to extract the attributes.

pcapkit.foundation.analysis._analyse(protocol, file, length=None, *, seekset=0)[source]

Analyse packet.

Parameters

  • protocol (Protocol) – target protocol class

  • file (io.BytesIO) – source data stream

  • length (Optional[int]) – packet length

Keyword Arguments

seekset (int) – original file offset

Returns

If the packet is parsed successfully, returns the parsed packet; otherwise returns None.

Return type

Optional[Protocol]

pcapkit.foundation.analysis.analyse(file, length=None, *, termination=False)[source]

Analyse application layer packets.

Parameters

  • file (io.BytesIO) – source data stream

  • length (Optional[int]) – packet length

Keyword Arguments

termination (bool) – If terminate parsing application layer protocol.

Returns

Parsed application layer protocol.

Return type

Protocol

Notes

Currently, the analysis processes in following order:

  1. FTP

  2. HTTP/1.*

  3. HTTP/2

and Raw as the fallback result.

See also

The analysis processes order is defined by ANALYSE_PROTO.

pcapkit.foundation.analysis.register(module, class_, *, index=None)[source]

Register a new protocol class.

Parameters

  • module (str) – module name

  • class (str) – class name

Keyword Arguments

index (Optional[int]) – Index of the protocol class when inserted to ANALYSE_PROTO.

Notes

The full qualified class name of the new protocol class should be as {module}.{class_}.

pcapkit.foundation.analysis.ANALYSE_PROTO = [('pcapkit.protocols.application.ftp', 'FTP'), ('pcapkit.protocols.application.httpv1', 'HTTPv1'), ('pcapkit.protocols.application.httpv2', 'HTTPv2')]

List of protocols supported by the analyser.